verification of authentication protocols: the past and the present

Verification of Authentication Protocols:

the Past and the Present

Why do we need to verify protocols even after we constructed them with so much care?

•There is a database of possible attacks on protocols, but new types of attacks crop up as history shows over and over again

•We need methods which are suitable to finding previously unknown attacks

Example: Needham-Schroeder’s PK protocol

•Originally created in 1978

•It took 15 years to find man-in-the-middle attack

•Formal logic (BAN) could not find the attack, i.e. the protocol was proven to be correct!

•It takes less than 1 min to find the attack using model-checking approach. The coding part takes no more than 1 hour.

•A B: {NA,A}PKB

•B A: {NA, NB} PKA

•A B: {NB} PKB

The Protocol’s Description

•A C: {NA,A} PKC

•C B: {NA,A} PKB

•B C: {NA, NB} PKA

•C A: {NA, NB} PKA

•A C: {NB} PKC

•C B: {NB} PKB

The Man-in-the-Middle Attack

Man-in-the-Middle Attack (cont’d)

•Discovery published in 1993 (15 years after the protocol was designed) by Gavin Lowe (Oxford, UK).

•Initially found manually

•Fixed and proved in 1995 using a combination of FDR (automated model-checking) and logical reasoning. The corrected version is called Needhame-Schroeder-Lowe PK protocol. The only modification is the 2nd message includes identity of B

SPIN and forward search techniques

•SPIN is a model-checking software based on Hoare’s CSP (communicating sequential processes) model

•One models the processes of legitimate users and the intruder. Intruder comes with Dolev-Yao capabilities and incorporates all malicious users. Intruder also has a legitimate identity.

•SPIN will go through all possible interleavings of steps taken by users and see if any red flags are raised

•This is a forward search technique, i.e. the processes that will participate are known in advance and all possible trails of interactions are modeled and checked

Problems with forward search techniques

•In authentication involving 2 users it is enough only to model legitimate users A and B and the intruder C, but one has to choose how many parallel sessions A and B are allowed to start. Therefore, negative result does not completely confirm that the protocol is secure

•The state-space explodes exponentially with additional parallel sessions. One has to limit them to 2 or 3. As a result, one has to resort to other methods to extend negative result to the protocol (for example using logical reasoning)

Motivation for Backward Search

• Let us look at the Needham-Schroeder’s protocol

• Receiver B needs to receive M1= {NANY, A}PKB and M2= {NB}PKB to successfully authenticate A.

• M2 can be generated by anyone who has the nonce. If it’s generated by someone other than intruder, attack will not succeed. For intruder to generate M2, it needs to receive NB in {N?, NB}PKI or {NB, N?}PKI or {NB}PKI

• To generate {N?, NB}PKI we need B to know that Intruder is trying to authenticate itself. This is not what we want

Motivation for Backward Search (cont’d)

• To generate {NB, N?}PKI , the intruder had to have initiated authentication with process “?” and have passed it {NB, Intruder}PK?. This message can be generated only by the intruder and it needs to have NB. We encounter a cycle

• To generate {NB}PKI, some user X has to initiate communication with the intruder.

• X needs to receive {NX, NB}PKX. This message can be generated only by B. In turn, B will need to receive {NX, A}PKB.

• {NX, A}PKB can not be generated by X, since it’s trying to contact Intruder. Therefore this message has to be generated by the intruder.

• For intruder to generate {NX, A}PKB , it needs to have the nonce which will be sent by X in its first message.

• Conclusion: we need one receiver B process, and one process X trying to initiate authentication with intruder. We can let X=A

Strand Spaces: building causal dependencies

1. Start with an initial set of causal dependencies and messages.

2. If a message is causally dependent on a message not present in the set, add that message

3. Continue until all dependencies are satisfied

4. Check which strands are contained in the resulting set.

Strands: what are they?

A’s strand would be

+{NA,A}PKB -{NA, NB, B} PKA +{NB} PKB

B’s strand is

-{NA,A}PKB +{NA, NB, B} PKA -{NB} PKB

Strands: what are they? (Cont’d)

A bundle formed by these strands is



This is a bundle for a legitimate run of the protocol and it is complete in the sense that on each strand all previous messages are included, and every message received in the bundle is actually sent in the bundle

Intruder strands have to be more flexible since it does not follow the protocol.Some of intruder’s strands are:

Similarly, strands that combine 2 messages into one can be defined as well as those decrypting message

Strands: what are intruder’s strands?

•+{t} where t is any text message•-g where g is any message•-{K} -h +{h}K which means that if intruder receives a key and a message, it can encrypt the message and send it out

Building a bundle for NSL

Suppose we have an acyclic bundle S that contains one run of B’s strand. We would like to prove that this bundle will also contain a run of A’s strand with corresponding nonces.

We start with the assumption that S contains the strand


We assume that NA NB and that NB uniquely originates in S on some strand. We want to prove that S must contain the strand



1. S must contain node +{NB} PKB. First we prove that this node is the only node that contains NB which does not include message {NA, NB, B} PKA. And causally leads to -{NB} PKB We also prove that node +{NB} PKB does not lie on an intruder’s strand. Let L denote the legitimate strand on which node +{NB} PKB lies.

2. All preceding nodes on L must also be in S. One can easily show that node -{NA, NB, B} PKA must precede +{NB} PKB on L, and that this node corresponds to +{NA, NB, B} PKA


As a result, S must contain the following:

+{NA, NB, B} PKA +{NB} PKB



Also, we can see that the upper strand must be A’s and therefore the picture becomes:

+{NA,A}PKB +{NA, NB, B} PKA +{NB} PKB


This proves that S must contain corresponding strand of A


Finally, we can show that we have only 1 strand with the same signature as the upper one. This shows uniqueness, i.e. the upper strand is not a replay.

How does this help us?

1. One need to be ADD-free and have good analytical abilities to analyze even a simple protocol like NSL!

2. Analysis of 5-step protocols can be published as monographs

3. One can do it with a pencil and paper by using logic without strand spaces

4. We can use model-checkers , let the program run for a week and come back for a result which is 99% accurate

5. Can we automate this strand-space approach?

D.Song’s Athena: automation of the strand-space approach

1. If the search terminates, a negative/positive result is produced.

2. The search does not always terminate but works for most useful protocols

3. State-explosion problem is alleviated through avoidance of asynchronous composition (i.e. going through all possible interleavings).

4. States may contain free-variables. Storage/CPU are thus more efficiently used since free variable states and their transitions represent infinitely many variable-free states/transitions.

5. Athena determines on-the-fly how many sessions need to be initiated.

D.Song’s Athena: automation of the strand-space approach

1. The idea is the following: given the strand of B, we look for all possible completions of this strand to a bundle and see if one of them does not contain corresponding strand of A.

2. Note that in the previous presentation there is a subtle issue: we ignore forwarding of messages by the intruder.

3. To ignore such situations we introduce the notion of goal-binding: if a message M1 has to be triggered by content T, we would “bind” M1 to the “minimal” positive node from which one can derive T.

4. Note that in a bundle every node that needs to be “binded” is actually “binded” within the bundle itself.

Athena: states

1. Suppose we start with a strand s. Let the set containing s be called C. Each time we add nodes to C, we make sure that given a node nC the nodes preceding n on its strand are also included. In this way, C is a “semi-bundle”: it’s backward closed under but not necessarily under

2. Note that a bundle is a particular case of a “semi-bundle”, and if a “semi-bundle” C has no “unbound” goals, then generally it’s also a bundle (in some degenerate cases intruder’s strands need to be added).

3. The “semi-bundles” encapsulate the notion of “state”

Athena: state-transitions

1. State-transitions map a “semi-bundle” C to a finite set of other semi-bundles that can be derived by causally completing C

2. To construct the next state, for each unbound goal we find a way to bind it. This way we produce a new semi-bundle. The set of all such semi-bundles is the next state. Note that free variables may arise in the next state

3. The algorithm itself works by expanding the semi-bundle to its maximum and seeing whether the result satisfies our needs. What if the expansion does not terminate?

4. Additional techniques for early detection of unreachability can speed up the process

Conclusions

1. Forward-search model-checking has limited effectiveness.

2. Backward-search avoids many of the previous problems but is harder (slightly) to code. In addition, it may not finish at all.

3. Manual methods of proving correctness can not be trusted completely (BAN logic for example), and one has to be patient and careful to verify the proofs.

4. Why not create protocols which are easily analyzed instead?

5. AGVI—Automatic Generation, Verification and Implementation of Security Protocols.

verification of authentication protocols: the past and the present

Documents